
Commit 9e3a783

pmlopesvietj
authored andcommitted
Fix the webroot escape to classpath on windows
Signed-off-by: Paulo Lopes <pmlopes@gmail.com>
1 parent 1c3a0b1 commit 9e3a783

2 files changed

+61
-1
lines changed


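--- a/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java
+++ b/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java
@@ -20,6 +20,7 @@
 import io.vertx.core.http.HttpHeaders;
 import io.vertx.core.http.HttpServerRequest;
 import io.vertx.core.http.HttpServerResponse;
+import io.vertx.core.http.impl.HttpUtils;
 import io.vertx.ext.web.Route;
 import io.vertx.ext.web.RoutingContext;
 
@@ -73,10 +74,12 @@ public static String pathOffset(String path, RoutingContext context) {
 }
 
 if (!route.isExactPath()) {
-final String rest = context.pathParam("*");
+String rest = context.pathParam("*");
 if (rest != null) {
 // normalize
 if (rest.length() > 0) {
+// remove any attempt to escape the web root and use UNIX style path separators
+rest = HttpUtils.removeDots(rest.replace('\\', '/'));
 if (rest.charAt(0) == '/') {
 return rest;
 } else {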
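Review bot: After the new `removeDots` call on new line 82 the remainder can be empty, yet the `rest.charAt(0)` test on the next line still runs, so a wildcard remainder consisting only of dot segments (for example `..\`, which becomes `../`) would throw StringIndexOutOfBoundsException instead of yielding a sanitized path — this assumes vertx-core's removeDots drops such segments entirely, which is how I read its RFC 3986 dot-segment removal. The `rest.length() > 0` guard on line 80 is evaluated before the normalization, so it no longer protects the `charAt`. Move the sanitization above the guard so the length check applies to the normalized string: `rest = HttpUtils.removeDots(rest.replace('\\', '/'));` followed by `if (rest.length() > 0) {`. Separately, `io.vertx.core.http.impl.HttpUtils` lives in an `impl` package of vertx-core with no API-stability guarantee, which deserves a comment at the import (`// internal vertx-core API; revisit if a public path-normalization helper appears`) or a local copy of the routine. `pathOffset` begins and ends outside the hunk, so the exact-path branch and the `else` that follows are not reviewed here.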
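--- /dev/null
+++ b/vertx-web/src/test/java/io/vertx/ext/web/handler/StaticHandlerWindowsTest.java
@@ -0,0 +1,57 @@
+/*
+* Copyright 2014 Red Hat, Inc.
+*
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* and Apache License v2.0 which accompanies this distribution.
+*
+* The Eclipse Public License is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+* The Apache License v2.0 is available at
+* http://www.opensource.org/licenses/apache2.0.php
+*
+* You may elect to redistribute this code under either of these licenses.
+*/
+
+package io.vertx.ext.web.handler;
+
+import io.vertx.core.http.HttpMethod;
+import io.vertx.ext.web.WebTestBase;
+import org.junit.Test;
+
+public class StaticHandlerWindowsTest extends WebTestBase {
+
+@Test
+public void testEscapeToClasspathFromWildcard() throws Exception {
+router.clear();
+router.route("/*").handler(StaticHandler.create("www"));
+// attempt to escape to classpath, given that the handler is mounted on a wildcard,
+// reading the wildcard must return a sanitized path and therefore not allow to escape.
+testRequest(HttpMethod.GET, "/..\\.htdigest", 404, "Not Found");
+}
+
+@Test
+public void testEscapeToClasspathFromNull() throws Exception {
+router.clear();
+router.route().handler(StaticHandler.create("www"));
+// attempt to escape to classpath, given that the handler is mounted on a catch all path
+testRequest(HttpMethod.GET, "/..\\.htdigest", 404, "Not Found");
+}
+
+@Test
+public void testEscapeToClasspathFromRegEx() throws Exception {
+router.clear();
+router.routeWithRegex(".*").handler(StaticHandler.create("www"));
+// attempt to escape to classpath, given that the handler is mounted on a regex,
+testRequest(HttpMethod.GET, "/..\\.htdigest", 404, "Not Found");
+}
+
+@Test
+public void testEscapeToClasspathFromFixedPath() throws Exception {
+router.clear();
+router.routeWithRegex("/").handler(StaticHandler.create("www"));
+// attempt to escape to classpath, given that the handler is mounted on a regex,
+testRequest(HttpMethod.GET, "/..\\.htdigest", 404, "Not Found");
+}
+}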
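Review bot: Every test here asserts only a 404, which is a weak oracle for a traversal fix: a handler that never mounted, or a `www` resource tree that simply lacks the target, produces the same 404 as a working sanitizer, so a dead mount would pass as a successful defense. Add a positive control to each fixture, e.g. `testRequest(HttpMethod.GET, "/index.html", 200, "OK");` for whichever file the `www` test resource actually contains, so the 404 on `/..\.htdigest` is attributable to the sanitizer. `testEscapeToClasspathFromFixedPath` registers `router.routeWithRegex("/")`, not a fixed path, and its comment even says "mounted on a regex"; either rename it or switch to `router.route("/")`, keeping in mind that an exact `/` route will not match `/..\.htdigest` at all and so would exercise route matching rather than `pathOffset`. Nothing in the class is gated on the host OS, so "Windows" in the name describes the backslash input rather than a platform requirement; a class-level comment such as `// Backslash separators are sanitized on every platform; these cases model Windows-style traversal input.` would make that explicit.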
